It strikes me that not many organizations enable Dynamic Arp inspection or DAI for short, on their switches users connect to. Why bother with DAI anyway you might ask. I would say this is something that it easy to activate to make switch block ARP messages that are not legit on your network. Those ARP messages can be utilized by an attacker to trick devices on a segment that the attacker computer is the router which will make traffic from client computers go to the attackers computers instead of the router.
First we need to think about how ARP work. When a host want to communicate with another host and it does not know the MAC address of the target host it send out an ARP messages asking who has this IP address, the target host should then do an ARP reply saying I have the IP address and MAC address you asked for. Next the communication can be established on Layer two between the learned mac addresses.
In comes the bad host answering the ARP reply (even though it should not) or sending a Gratuitous ARP (sort of an ARP reply without anyone asking for it). ARP reply can then contain the asked for IP address but with the MAC address of the bad host tricking the other host to send traffic to the bad host instead of the intended host.
This can be stopped by enabling DAI on the switch which is quite easy.
ip arp inspection vlan x , where x is the vlan you enable DAI on
ip arp inspection vlan 101
To see info about DAI you use "show ip arp inspection"
Source Mac Validation : Disabled
Destination Mac Validation : Disabled
IP Address Validation : Disabled
Vlan Configuration Operation ACL Match Static ACL
---- ------------- --------- --------- ----------
101 Enabled Active
Vlan ACL Logging DHCP Logging Probe Logging
---- ----------- ------------ -------------
101 Deny Deny Off
But how does the switch know what mac address and IP addresses are legit?
It uses the DHCP binding database. So to be able to use DAI you must first enable DHCP snooping to make switch to build the dhcp binding database (see my previous posts about DHCP ). This will introduce a problem for hosts with a static IP address not received from a DHCP server, the IP and MAC address binding is not in the snooping database on switch and will therefore be blocking the ARP replies making other hosts not be able to communicate with the host with static IP address since no one will learn its MAC address.
You will see this in the switch log.
*May 9 12:53:55.779: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Et0/0, vlan 101.([0000.0c9f.f065/10.1.101.1/5000.0012.0000/10.1.101.11/14:53:54 EET Sun May 9 2021])
Log entry means that port E0/0 , vlan 101 has blocked an arp packet from 10.1.101.1 with MAC 0000.0c9f.f065 going to 10.1.101.11 with MAC 0000.0c9f.f065
There is two solutions to this. You can either set the interface as trusted.
SW3(config-if)#ip arp inspection trust
similar to the DHCP trusted ports function.
You probably do this with the uplink interface leading to other switches and routers. But remember that it is basically the same as disabling ARP inspection on that interface.
Or you can create a static binding with mac address, IP address, vlan and interface.
This is accomplished by creating an ARP access list and then apply it to the vlan.
arp access-list VLAN101
permit ip host 10.1.101.1 mac host 0000.0c9f.f065
Add as many IP address to MAC address mapping you need in this ACL and then apply the ARP ACL to the vlan
ip arp inspection filter VLAN101 vlan 101
You have now allowed a host to make ARP reply with IP address 10.1.101.1 to use MAC address of 0000.0c9f.f065 on vlan 101.
You can configure a lot more with DAI, such as rate limit and logging and what parameters in the ARP package to verify.
With "show ip arp inspection" we saw that there was no inspection of mac-addresses and IP address. I suggest you enable validation of these fields in the ARP package.
ip arp inspection validate src-mac dst-mac ip
To rate limit ARP packages use the interface command "ip arp inspection limit rate x" where x is number of ARP packages per second. Default is 15 which might is too small on a trunk interfaces.
You see, DAI is not that complicated at all and is easy to enable.
